Date: Tue, 8 Jul 2008 19:11:35 +0530
From: "Ivan Grover" <ivangrvr299@gmail.com>
To: "Peter Jeremy" <peterjeremy@optushome.com.au>
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE Challenge sequence
Message-ID: <670f29e20807080641wb6f76cctfacfbb2af2f4f7e9@mail.gmail.com>
In-Reply-To: <20080708113030.GN62764@server.vk2pj.dyndns.org>
References: <670f29e20807080316s6cf57612jf5135bfd340e3328@mail.gmail.com> <20080708113030.GN62764@server.vk2pj.dyndns.org>
Thank you so much for your responses. By "predetermined", I meant the
challenges appear sequentially in decremented fashion, so are we aware of
any security hole with this. I ask this because usually the
challenge/response implementations consider generating random challenges
(I think here they have a weakness where the passphrase needs to be in
clear text). My problem is to determine the best challenge/response
implementation for authenticating the clients. Please correct me if I
missed something.

Thanks and Regards,
Ivan

On Tue, Jul 8, 2008 at 5:00 PM, Peter Jeremy <peterjeremy@optushome.com.au> wrote:
> On 2008-Jul-08 15:46:37 +0530, Ivan Grover <ivangrvr299@gmail.com> wrote:
> >I am trying to choose OPIE as my OTP implementation for authenticating the
> >clients. I have the following queries, could anyone please let me know these
> >-- why are the challenges in OPIE in predetermined form..
> >is it for determining the decryption key for the encrypted passphrase (stored
> >in opiekeys).
>
> The passphrase is not encrypted - it is hashed and cannot be "decrypted".
> Basically, the passphrase and seed are concatenated and the result is
> hashed (using MD5) the number of times specified by the iteration count
> and the seed, count and final hash are stored in /etc/opiekeys.
>
> The supplied response is easily verified because when you run it thru
> MD5, you should get the hash in /etc/opiekeys. You then replace that
> hash with the one the user supplied.
>
> >-- is it possible to generate random challenges using opiechallenge
>
> No. The seed has to match the seed that was used to generate the
> hash with opiepasswd.
>
> --
> Peter Jeremy
> Please excuse any delays as the result of my ISP's inability to implement
> an MTA that is either RFC2821-compliant or matches their claimed behaviour.
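The hash-chain scheme Peter describes, as an added illustration that is not OPIE's own code (it keeps the full MD5 digest rather than the folded 64-bit form real OPIE stores, and the class and function names are hypothetical). It shows why the challenge is deterministic by design, why the server can verify a response without holding the passphrase, and why a replayed response fails once the stored hash has been advanced:

```python
import hashlib
import hmac

# Simplified model of the chain in the reply above: the server stores
# H^count(passphrase || seed); the client answers challenge n with
# H^n(passphrase || seed); the server hashes once more and compares.

def otp_hash(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def chain_value(passphrase: str, seed: str, n: int) -> bytes:
    """Hash passphrase||seed n times (what opiepasswd does with n=count)."""
    h = (passphrase + seed).encode()
    for _ in range(n):
        h = otp_hash(h)
    return h

def client_response(passphrase: str, seed: str, n: int) -> bytes:
    """The client-side answer to the challenge 'n seed'."""
    return chain_value(passphrase, seed, n)

class OtpServer:
    """Server state equivalent to one /etc/opiekeys line: seed, count, hash."""

    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed = seed
        self.count = count
        self.stored = chain_value(passphrase, seed, count)  # passphrase not kept

    def challenge(self) -> tuple:
        # Deterministic by construction: the seed is fixed and the sequence
        # number simply decrements; unpredictability is not what protects it.
        return (self.count - 1, self.seed)

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:          # chain exhausted; user must run opiepasswd
            return False
        if not hmac.compare_digest(otp_hash(response), self.stored):
            return False
        # Advance the chain: the response becomes the new stored hash, so an
        # observer who replays it would be one step behind and fail.
        self.stored = response
        self.count -= 1
        return True
```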